Method and system for initiating secure transactions within a defined geographic region

ABSTRACT

An approach for enabling contextual categories to be associated and scored in connection with a defined geographic region is described. A transient services platform establishes, based on biometric authentication of a user, a limited session for completing a transaction. The transient services platform then determines, based on a defined geographic region, a context to associate with the transaction. Credentials associated with the user are transferred to the transaction agent based on the authentication and the determined context.

BACKGROUND INFORMATION

Service providers are continually challenged to deliver value and convenience to consumers by providing compelling network services and advancing the underlying technologies. One area of interest has been the development of services for enabling secure execution of transactions. Typically, service providers designate Trusted Service Managers (TSM) and associated one time passwords in software, hardware or a combination of both to facilitate secure execution. Resultantly, the context of the transactional session to be performed is based on what the user uniquely knows (e.g., a pin or rolling password) and what the user has in their physical possession (e.g., a phone with a specific type of e-mail client and/or digital key fob). Still further, some transactional sessions require direct validation of location or presence information provided by the user's mobile device. Hence, traditional approaches provide no convenient way to facilitate execution of transactions without reliance upon user or device centric contextual information.

Based on the foregoing, there is a need for enabling transactions to be performed securely and efficiently.

BRIEF DESCRIPTION OF THE DRAWINGS

Various exemplary embodiments are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings in which like reference numerals refer to similar elements and in which:

FIG. 1 is a diagram of a system for enabling transactions to be performed securely within a defined geographic region, according to one embodiment;

FIG. 2 is a diagram of the components of a transient services platform, according to one embodiment;

FIGS. 3A-3C are flowcharts of processes for enabling transactions to be performed securely within a defined geographic region, according to various embodiments;

FIGS. 4A-4C are diagrams depicting a user accessing the transient services platform of FIG. 2 to perform a transaction via a transaction agent, according to various embodiments;

FIG. 5 is a computer system that can be used to implement various exemplary embodiments; and

FIG. 6 is a diagram of a chip set that can be used to implement an embodiment of the invention.

DESCRIPTION OF THE PREFERRED EMBODIMENT

An apparatus, method and software for enabling transactions to be performed securely within a defined geographic region is described. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It is apparent, however, to one skilled in the art that the present invention may be practiced without these specific details or with an equivalent arrangement. In other instances, well-known structures and devices are shown in block diagram form to avoid unnecessarily obscuring the present invention.

Although the various exemplary embodiments are described with respect to transactions, it is contemplated these embodiments have applicability to any instructions, activities, or processes to be carried out in connection with a user or item associated with the user, including software and hardware related processes. Also, while various embodiments are described with respect to personal items of a user in the form of a mobile device, it is contemplated these embodiments have applicability to any sensor based items, including encoded cards (e.g., plastic cards, Smart Cards), personal sensors (e.g., fobs or identification transmitters) and the like.

FIG. 1 is a diagram of a system for enabling transactions to be performed securely within a defined geographic region. As noted previously, different types of transactions may be carried out by users today by way of wireless means or automated means. For example, a secure purchase transaction may be carried out via a user's mobile device, wherein the user submits their payment credentials to a vendor via wireless communication such as near-field communication (NFC) or other short-range communication. Under this scenario, the identification of the mobile device through which the transaction is performed is required in addition to entry of a password or other security credential known to the user. Still further, the transaction is initiated in response to detection of the user being physically located at a certain place or within proximity of a supporting Trusted Service Manager (TSM).

Hence, the context of the transaction is directly indicated by the user or discerned by way of various active sensors of the user's mobile device. Unfortunately, traditional approaches provide no convenient way to facilitate execution of transactions without reliance upon user or device centric contextual information being directly provided. Still further, many applications and services that facilitate execution of transactions rely upon manual data entry (e.g., entry of credit card numbers or pin number) as a function of the application or for security reasons; thus limiting the ability of users to seamlessly execute secure transactions of various contexts (e.g., types) as they travel about.

To address this issue, the system 100 includes a transient services platform 103 that enables a combination of security and location based features to be performed in connection with the facilitation of a transaction. By way of example, the transient services platform 103 is configured to manage a session for enabling a transaction completion process to be carried out over a limited period of time. The limited time frame corresponds to a one-time execution of the session in response to a request. Also, the limited time frame corresponds to a period of time (e.g., seconds) in which the user may provide the necessary inputs required to facilitate the transaction or the allotted time for completion of the overall transaction.

The transactional session is performed in connection with the user and various transaction agents 105 a-105 n. Initiation of the request as well as fulfillment of the transaction for the user can be based on the following: (a) what the user uniquely knows (e.g., a password, fact, authorization data); (b) what the user uniquely has (e.g., a personal item associated with the user); (c) what the user uniquely is (e.g., a confirmed/authorized user or agent for initiating and completing the transaction); and (d) contextual derivation of applicability.

The above described factors correspond to one or more security and/or location based executions that are managed by the transient services platform 103. In particular, the executions are enabled to be performed with minimal intervention of the user beyond the point of user authorization to carry out the transaction (e.g., item (c) above). Moreover, the context of the transaction may be determined with no reliance upon sensed/collected/real-time context information gathering by a device (e.g., user device 101) associated with the user. Rather, in certain embodiments, the transient services platform 103 accesses scored grid data 108 for deriving a relative location of the user and associating a context (e.g., a transaction type) with the user based on the location. The scored grid data may be accessed from third-party location based service (e.g., service 121) or other enabling data repository made available to the transient services platform 103 or service provider thereof.

By way of example, the scored grid data 108 includes data corresponding to location information references via defined grid database 108, e.g., United States National Grid (USNG) reference system or any other reference grid. Alternatively, the defined grid data 108 may include any other location data source, geodetic data source, topographic data source, geographic information system or the like for specifying and naming points/coordinates within a particular geographic region. Still further, the scored grid data 108 is associated with one or more scores and/or signal strengths, which represent a level of affinity of the defined geographic area 104 with specific contextual categories. The level of affinity, therefore, represents a likelihood of presence, prevalence or concentration of specific points-of-interest (POIs) matching a particular contextual category associated with the defined geographic region 104, e.g., a 10×10 meter region for the USNG. For example, in the case of a scaled ranking from 1-to-10, a score of 8.2 for POIs corresponding to the contextual category of “Restaurants” may indicate a higher propensity for restaurants to be located within the same geographic region than “Amusement Parks” at 2.4. Hence, the transient services platform 103 may deduce, based on the scored grid data 108, that a transaction request associated with the defined geographic region 104 is associated with a restaurant transaction. It is noted, also, that the scores may also correspond to a strength signal and associated color coding for indicating the level of affinity of the region 104 with a given context as well as a contextual category (e.g., transaction type) of which the region 104 is aligned.

As will be discussed further, the transaction agents 105 a-105 n may be placed at various locations throughout the defined geographic region 104 for use in connection with the transient services platform 103 to facilitate a transactional session. The scored grid data 108 may therefore be cross-referenced against a list of known transactional agents corresponding to the geographic area for deducing a related context of the transaction.

In certain embodiments, one or more transaction agents 105 a-105 n are configured for operation within a defined geographic region 104 to interact with a personal item of the user for facilitation of a transactional session. In certain embodiments, the transaction may include any series of steps, processes or executions required to enable fulfillment of an arrangement between parties, e.g., a vendor and a user. The transaction may include a purchase transaction, a data access transaction, a security transaction, an actuation action, or the like. Under this scenario, the transaction may be associated with a parking garage, a vending mechanism, a security gate, a door lock, turnstiles, person-to-person payments, a data download, server access, facility entry, ticket and/or coupon redemption, etc.

The transaction agents 105 a-105 n are configured, in certain embodiments, to be placed within proximity of the location of the transaction. For instance, in the case of a transaction involving a turnstile, the transaction agent may be implemented as a software or hardware device that is incorporated within, affixed to, or placed near the turnstile. Similarly, in the case of a vendor booth, the transaction agent may be incorporated within a point-of-sales terminal or placed in a location that is visible to the user near the booth. Under this scenario, the transaction agent 105 may include various wireless and/or sensor detection components for both transmitting and receiving signals from the mobile device 101 or other personal item 102 of a user. Hence, transaction agents 105 a-105 n may be used to initiate and facilitate execution of a transaction in connection with the user device 101 or other personal item 102. The personal item may include a user device (UD) 101 of the user, a sensor based card, a personal transmitter (e.g., fob or radio frequency transmitter) or the like.

In certain embodiments, the transient services platform 103 manages the various transaction agents 105 a-105 n, including facilitating execution of a transaction based on a bonding procedure between the transaction agents and the personal item 102 and/or user device 101. By way of example, a bonding procedure pertains to the ability of a user to seamlessly transfer transaction related credentials, such as passwords, credit card information or identification data, to a corresponding transaction agent 105 a-105 n. Under this scenario, the credentials are accessed from a credential management service 107 that maintains credentials data 110 in connection with a given user. As such, the transient services platform 103 interacts with the credential management service 107 to access the data 108 in response to a request for completion of a transaction in connection with a user via a transaction agent 105.

It is noted that the transient services platform 103 may, therefore, operate in direct connection with or on behalf of the various transaction agents and/or the credential management services. The transient services platform 103 is configured to communicate with the various transaction agents 105 a-105 n independently, or in connection with one or more associated services operable in conjunction with the agents 105 a-105 n. This may include, for example, a payment processing service or order fulfillment service. While implementations may vary, the transient services platform 103 is configured to bridge the transactional executions of the respective services 121 a-121 n, transaction agents 105 a-105 n and respective sites where said transactions are to occur. Also, in the case of a personal item in the form of a user device (UD) 101, e.g., mobile device, the transient services platform 103 permits various applications 117 having functions for carrying out transactions to be fulfilled with minimal interaction of the user.

For the purpose of illustration, the bond is formulated based on a “handshake” or other triggering mechanism related to or initiated by the user. Hence, the handshake for initiating a bond may occur via a gesture performed by the user, audible/inaudible sound input provided by the user or visible/non-visible light wave input. Under this scenario, the gesture, sound or light signal may correspond to a secret pattern of inputs required to be provided by the user as they are within physical proximity of the transaction agent 105. Transference of the secret pattern may be facilitated, in certain embodiments, by way of a bond application 118 operating at the user device 101. Alternatively, the transference mechanism may be encoded as one or more instructions of the personal item 102, e.g., encoded within a sensor of a plastic card for activation based on a proximity condition.

In certain embodiments, initiation of a transactional session is authorized for commencement based on biometric authentication of the user. For example, a biometric module 123 may be configured to gather, exchange and process multiple different types of biometric data pertaining to the user. This includes, for example, the gathering of voice data concurrent with the gathering of video data of the user's face. Various sensors of the user device 101 are employed to facilitate the gathering of voice and face characteristics of the user. Alternatively, a collection system, device or sensor bank at the location of the transaction agent 105 may be used to gather the data. It is contemplated that the biometric authentication of the user may be performed at the user device 101, by the transient services platform 103, or a combination thereof for enabling a level of secure transaction authentication to be performed.

Also, in certain embodiments, the biometric module 123 may operate in connection with the bond application 118, such that when the bond application 118 is called for execution, a preliminary authentication of the user is performed. Actual biometric authentication of the user may be established as criteria for execution of the bond application 118—e.g., for initiating a bonding procedure between a specific personal item 102 and/or user device 101 and the various transaction agents 105 a-105 n.

In summary, the following scenarios exist with respect to system 100 for facilitating a transactional session. In one scenario, the user that solicits a request for a transactional session is a person currently located in the defined geographic region 104, having access to one or more transaction agents 105 a-105 n. The user is aware of a fact, e.g., password, that can be cross-checked by the transient services platform 103 against something the user has physical access to, e.g. user device 101 or personal item 102.

In another use case, the personal item may be used to initiate a bonding procedure in conjunction with the transaction agent 105, e.g., based on a secret pattern. The secret pattern may correspond to a combination of gestures, sounds or light wave inputs. Also, the transient services platform 103 has access to scored grid data 108 regarding the defined geographic region 104, therefore enabling the platform 103 to correlate a specific contextual category, and therefore transaction type, with the defined geographic region 104. Further, a number of transaction agents 105 a-105 n are also located in the same defined geographic range 104, and particularly, activated from within the same proximity of the user.

Based on the above explanation, an exemplary transactional session/procedure carried out with respect to the platform 103 of system 100 is as follows: (1) the user provides biometric authentication, e.g., done locally, for enabling a session request to be initiated. This may include facial recognition, fingerprint authentication, retinal scanning, brain wave pattern scanning, Deoxyribonucleic Acid (DNA) scanning, etc.; (2) the session request is enabled wirelessly, as facilitated via a bonding mechanism between the transaction agents 105 and a personal item 102 of the user. Validation of the handshake may be facilitated or confirmed by the transient services platform 103 by way of transference of the input data (e.g., motion and/or light data) via a communication network; (3) the transient services platform 103 accesses scored grid data 108 based on an association between the transaction agents 105 a and the defined area 104 in which they are located; and (4) the transient services platform 103 derives, based on the scored grid data 108, the possible transaction types/contexts of the request by analyzing the respective scores and the qualified transaction agents 105 for the corresponding region 104.

It is noted that the transient services platform 103 allows for anonymity to be maintained during the transactional session. Hence, while there is non-repudiatable cross-referencing of the transactional agents for a given geographic area or cross-referencing of user biometric data with a profile of the user, no sensor data is gathered with respect to the user. Moreover, the transient services platform 103 is contextually agnostic, therefore enabling the context to be defined subsequent to the request as opposed to being a conditional variable for facilitation of the transactional request. As such, the transient services platform 103 may be used in connection with various user device 101 and other personal items of the user as an alternative to near-field communication. Under this approach, user device 101 generated sensor data is not required to support the transactional process.

It is noted that user devices 101 a-101 n may be any type of mobile terminal, fixed terminal, or portable terminal including a mobile handset, station, unit, device, multimedia computer, multimedia tablet, Internet node, communicator, desktop computer, laptop computer, Personal Digital Assistants (PDAs), smartphone or any combination thereof. It is also contemplated that the user devices 101 a-101 n can support any type of interface for supporting the presentment or exchange of data. In addition, user devices 101 a-101 n may facilitate various input means for receiving and generating information, including touch screen capability, keyboard and keypad data entry, voice-based input mechanisms and the like. Any known and future implementations of user devices 101 are applicable. For the purpose of illustration, user devices 101 a-101 n may be devices for accessing the affinity determination platform 103 as a user of an application 118 or as a service provider.

In certain embodiments, user devices 101 a-101 n, the affinity determination platform 103, services 105 and other elements of system 100 may be configured to communicate via a service provider network 109. According to certain embodiments, one or more networks, such as data network 111, telephony network 113, and/or wireless network 115, can interact with the service provider network 109. Networks 109-115 may be any suitable wireline and/or wireless network, and be managed by one or more service providers. For example, telephony network 113 may include a circuit-switched network, such as the public switched telephone network (PSTN), an integrated services digital network (ISDN), a private branch exchange (PBX), or other like network.

Networks 109-115 may employ various technologies for enabling wireless communication including, for example, code division multiple access (CDMA), long term evolution (LTE), enhanced data rates for global evolution (EDGE), general packet radio service (GPRS), mobile ad hoc network (MANET), global system for mobile communications (GSM), Internet protocol multimedia subsystem (IMS), universal mobile telecommunications system (UMTS), etc., as well as any other suitable wireless medium, e.g., microwave access (WiMAX), wireless fidelity (WiFi), satellite, and the like. Meanwhile, data network 111 may be any local area network (LAN), metropolitan area network (MAN), wide area network (WAN), the Internet, or any other suitable packet-switched network, such as a commercially owned, proprietary packet-switched network, such as a proprietary cable or fiber-optic network.

Still further, the communication provider network may embody circuit-switched and/or packet-switched networks that include facilities to provide for transport of circuit-switched and/or packet-based communications. It is further contemplated that networks 109-115 may include components and facilities to provide for signaling and/or bearer communications between the various components or facilities of system 100. In this manner, the communication network 105 may embody or include portions of a signaling system 7 (SS7) network, Internet protocol multimedia subsystem (IMS), or other suitable infrastructure to support control and signaling functions.

It is noted, though not shown in the figure, that in certain embodiments user devices 101 a-101 n may be configured to establish peer-to-peer communication sessions with each other using a variety of technologies—near field communication (NFC), Bluetooth, ZigBee, infrared, etc. Also, connectivity can be provided via a wireless local area network (LAN). By way of example, a group of user devices 101 a-101 n may be configured to a common LAN so that each device can be uniquely identified via any suitable network addressing scheme. For example, the LAN may utilize the dynamic host configuration protocol (DHCP) to dynamically assign “private” DHCP internet protocol (IP) addresses to each user device 101, e.g., IP addresses that are accessible to devices connected to the service provider network 109 as facilitated via a router.

FIG. 2 is a diagram of the components of a transient services platform, according to one embodiment. The transient services platform 103 includes various executable modules for performing one or more computing, data processing and network based instructions that in combination provide a means of enabling transactions to be performed securely within a defined geographic region. Such modules can be implemented in hardware, firmware, software, or a combination thereof. By way of example, the transient services platform 103 may include an authentication module 201, a context interpreter 203, an initiation module 205, a scored data access module 207, a services access module 209, a user interface module 211 and a communication interface 213.

In addition, the transient services platform 103 also accesses the scored grid data 108, such as from a third-party location based service provider. In addition, the platform may maintain profile data 215 related to one or more users subscribed with a provider of the platform 103. Still further, while not shown, the platform 103 may access credentials data 110 related to the user, as maintained by a credential management service. It is noted that modules 201-213 access one or more of these peripheral data sources for performing their respective functions.

In one embodiment, an authentication module 201 authenticates users of user devices 101 or personal item 102 for interaction with the platform 103. By way of example, the authentication module 201 receives a request to subscribe to the platform 103. The subscription process may include, for example, establishing one or more access credentials and usage policies, along with biometric profile data related to the user. One or more privacy settings and/or preferences may also be established, including a secret pattern to be used in connection with a bonding procedure. Preferences and settings information may be referenced to a specific user, user device, service provider, or combination thereof, and maintained as subscription data (not shown).

The authentication process performed by the module 201 may also include receiving and validating access credentials for a particular user. For example, a login name and/or user identification value may be received from the user device 101 or other device via a graphical user interface to the platform 103 (e.g., as provided via a transaction agent). Subscription data for respective subscribers, which contains pertinent user or device profile data, may be cross referenced as part of the login process. Alternatively, the login process may be performed through automated association of profile settings maintained as registration data 217 with an IP address, a carrier detection signal of a user device, mobile directory number (MDN), subscriber identity module (SIM) (e.g., of a SIM card), radio frequency identifier (RFID) tag or other identifier.

It is contemplated, in certain embodiments, that the authentication module 201 may also be configured to perform various biometric authentication procedures. This corresponds to an implementation wherein the authentication is not performed locally, e.g., via the user device. Alternatively, a combination of local device and/or transaction agent related processing may be performed concurrent with platform 103 based authentications to facilitate expedited user authentication. Regardless of the implementation, the authentication module 201 receives initial requests for establishment of a transactional session via the platform 103.

In one embodiment, the context interpreter 203 identifies a specific set of contextual categories, per the categories data 107 a, that are to be related to a particular defined geographic region. The interpreter 203 then associates a particular transaction type with the particular transaction agents corresponding to the request received by the authentication module 201. Operating in connection with the context interpreter 203 is the scored data access module 207, which facilitates the gathering of scored grid data 108 from a third party location based service. The context interpreter thus analyzes the scored grid data as well as cross references the data against a list of known transaction agents 105 associated with the defined region.

In one embodiment, the initiation module 205 receives a request to complete the transaction via a transaction agent associated with a defined geographic region. This includes authenticating a handshake associated with the bonding procedure. Hence, the initiation module 205 may verify the authenticity of a given secret pattern provided per the handshaking process. In addition, the module 205 may also trigger execution of the services access module 209 for facilitating establishment of a session with a credentials management service 107 associated with the user, e.g., as indicated within the profile data 215. As noted, the credentials management service may host specific data related to the user required for fulfilling a transaction, including credit card information, access and/or security information, etc.

The initiation module 205 utilizes the results of the context interpreter 203 to indicate to the credential management service which particular credentials are required. For example, in the case of a purchase transaction, payment processing credentials are requested. In the case of user access to a security gate or other barrier, associated access information is requested. Once the appropriate credentials are accessed, the initiation module 205 further initiates transfer of the credentials associated with the user to the transaction agent associated with the defined geographic region. The initiation module then alerts the authentication module 201 of completion of the transaction, which causes an ending of the established transaction session via the communication interface 213.
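The following sketch is an added example, not code from the patent, showing one way the context interpreter and initiation module described above could cooperate: rank a region's contextual categories by affinity score, cross-reference them against the known transaction agents, and release only the credential class that matches the requesting agent. The region names, agent identifiers, score threshold and category-to-credential mapping are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample of scored grid data: region -> {contextual category: score on a 1-to-10 scale}.
SCORED_GRID = {
    "region-A": {"Restaurants": 8.2, "Amusement Parks": 2.4, "Facility Entry": 6.0},
    "region-B": {"Parking": 7.5, "Restaurants": 3.1},
}

# Hypothetical mapping from contextual category to the single credential class to request.
CREDENTIAL_CLASS = {
    "Restaurants": "payment",
    "Parking": "payment",
    "Amusement Parks": "payment",
    "Facility Entry": "access",
}


@dataclass(frozen=True)
class Agent:
    agent_id: str
    region: str    # defined geographic region the agent is registered in
    category: str  # contextual category the agent serves


# Constructed list of known transaction agents.
KNOWN_AGENTS = [
    Agent("agent-pos-1", "region-A", "Restaurants"),
    Agent("agent-gate-1", "region-A", "Facility Entry"),
    Agent("agent-ride-1", "region-A", "Amusement Parks"),
    Agent("agent-garage-1", "region-B", "Parking"),
]


class ContextError(Exception):
    """Raised when no context can be derived; the caller must not release credentials."""


def candidate_contexts(region, scored_grid=SCORED_GRID, agents=KNOWN_AGENTS, min_score=5.0):
    """Return the region's categories, highest score first, that clear the
    threshold AND are served by at least one known agent in that region."""
    scores = scored_grid.get(region)
    if scores is None:
        raise ContextError(f"no scored grid data for region {region!r}")
    served = {a.category for a in agents if a.region == region}
    ranked = sorted(scores.items(), key=lambda item: item[1], reverse=True)
    return [cat for cat, score in ranked if score >= min_score and cat in served]


def credential_class_for_request(region, agent_id, scored_grid=SCORED_GRID,
                                 agents=KNOWN_AGENTS, min_score=5.0):
    """Derive (context, credential class) for a request, failing closed."""
    agent = next((a for a in agents if a.agent_id == agent_id), None)
    # The agent must be known and registered in the region the request claims.
    if agent is None or agent.region != region:
        raise ContextError("agent is not registered in the claimed region")
    # The agent's category must be a plausible context for that region.
    if agent.category not in candidate_contexts(region, scored_grid, agents, min_score):
        raise ContextError("agent category has insufficient affinity with the region")
    try:
        return agent.category, CREDENTIAL_CLASS[agent.category]
    except KeyError:
        raise ContextError("no credential class mapped to this context") from None


if __name__ == "__main__":
    print(candidate_contexts("region-A"))
    print(credential_class_for_request("region-A", "agent-gate-1"))
```

Because every failure path raises instead of returning a default, an unknown agent, a region mismatch or a low-affinity category results in no credential request at all, and a gate agent can never obtain payment credentials.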

In one embodiment the user interface module 211 enables presentment of a graphical user interface for presenting the output data 110. By way of example, the user interface module 211 generates the interface in response to application programming interfaces (APIs) or other function calls corresponding to a browser application or dedicated application; thus enabling the display of graphics primitives. As another example, the user interface module 211 may also operate in connection with a calling service or application to permit rendering, transformation, or translation of the output data in response to a request.

In one embodiment, a communication interface 213 enables formation of a session over a network 109 between the platform 103, the services 121 and/or 107 and the transaction agents 105. By way of example, the communication interface 213 executes various protocols and data sharing techniques for enabling collaborative execution between a subscriber's user device 101 (e.g., mobile devices, laptops, smartphones, tablet computers, desktop computers, servers, workstations) and the platform 103 over the network 109. It is noted that the communication interface 213 is also configured to support a browser session—e.g., the retrieval of content as referenced by a resource identifier during a specific period of time or usage of the browser.

The above presented modules and components of the platform 103 can be implemented in hardware, firmware, software, or a combination thereof. In another embodiment, one or more of the modules 201-213 may be implemented for operation by users as a platform, hosted solution, cloud based service, or the like. It is noted that the various modules may be used selectively or in combination within the context of a location based service or transaction fulfillment service.

FIGS. 3A-3C are flowcharts of processes for enabling transactions to be performed securely within a defined geographic region, according to various embodiments. In one embodiment, the transient services platform 103 performs processes 300, 310 and 318, and is implemented in, for instance, a chip set including a processor and a memory as shown in FIG. 6. For the purpose of illustration, the processes are described with respect to FIG. 1. It is noted that the steps of the process may be performed in any suitable order, as well as combined or separated in any suitable manner.

In step 301 of process 300 (FIG. 3A), the transient services platform 103 establishes, based on biometric authentication of a user, a limited session for completing a transaction. By way of example, the biometric authentication may be performed locally at a user device 101. Alternatively, the location for facilitating the transaction may be equipped with various sensors and/or scanners for performing biometric authentication. Under the latter scenario, the biometric authentication procedure is performed via a local computer terminal operating in connection with a biometric application of the device.

As noted, the limited session may correspond to a length of time allotted for completing the transaction. In addition, the limited session also refers to a limited time-to-live of a session once established, e.g., only a one time transaction is enabled. This execution also enables additional security to be associated with the transactional process as repeat unauthorized attempts are eliminated.

In step 303, the platform 103 receives, based on a bonding procedure initiated via a personal item of the user, a request to complete the transaction through a transaction agent associated with a defined geographic region. It is noted that the bonding procedure is carried out between the transaction agent and the personal item, and may include validation of a handshake between the respective agent and the personal item (e.g., user device 101). The transient services platform 101 may receive, from the transaction agent, notification that the bond was generated, thus triggering submission of the request.

Per step 305, the platform 103 determines, based on the defined geographic region, a context to associate with the transaction. In step 307, the platform 103 determines, based on the context, a transaction type to associate with the transaction. As noted, the context may correspond to a particular transaction type for denoting various characteristics, details or qualities associated with the transactional request. In another step 307, the platform 103 initiates, based on the authentication and the determined context, a transfer of credentials associated with the user to the transaction agent. As noted previously, the credentials are retrieved by the platform 103 from a credential management service assigned by the user.

In step 311 of process 310, the platform 103 receives a biometric input for authenticating an identity of the user. Per step 313, the platform 103 also associates the user with a personal item based on the identity. As noted previously, this association may be based on cross-referencing of the personal item with data maintained in a profile database regarding the user. This is performed for enablement of the bonding procedure between a respective device and a given transaction agent, e.g., as a further security or session establishment requirement, and not for context determination purposes. In step 315, the platform 103 authenticates a handshake associated with the bonding procedure. The handshake may be a gesture, sound or light signal that corresponds to a secret action associated with the user and/or the personal item of the user.

In step 319 of process 318, the platform 103 initiates, based on the authentication, a session with a credentials management service associated with the user. Per step 321, the platform 103 also submits, based on the context, a request for credentials required for completion of the transaction. As noted previously, the context is defined based at least in part on the accessing of scored grid data 108, including analysis of one or more scores, signal strengths and colors associated with a defined reference grid. In steps 323 and 325, the platform 103 confirms completion of the transaction within the limited time period and ends the session based on the confirmation.
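The three processes above (300, 310 and 318) combined into one flow, as an added example that is not code from the patent: the session is time-limited and single-use, credentials are released only after biometric authentication and a validated bond, and the transaction type is derived from the agent's region rather than from the device. All names, the sample grid values and the score-times-signal ranking are assumptions made for illustration.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample of "scored grid data":
# region -> {transaction type: (score, signal strength)}.
SCORED_GRID = {
    "GRID-A1": {"gate_entry": (0.9, 0.8), "parking_payment": (0.4, 0.3)},
    "GRID-B7": {"retail_payment": (0.7, 0.9)},
}
# Hypothetical mapping of transaction agent -> defined geographic region.
AGENT_REGION = {"agent-gate-415": "GRID-A1"}
# Stand-in for the user's credential management service (constructed data).
CREDENTIALS = {("alice", "gate_entry"): {"access_level": 2, "hours": "06:00-20:00"}}


class SessionError(Exception):
    """Raised when a step's precondition is not met."""


@dataclass
class LimitedSession:
    user_id: str
    expires_at: float
    agent_id: Optional[str] = None
    closed: bool = False


def establish_session(user_id, biometric_ok, now, ttl=60.0):
    """Step 301: no session exists without a successful biometric check."""
    if not biometric_ok:
        raise SessionError("biometric authentication failed")
    return LimitedSession(user_id, expires_at=now + ttl)


def _require_live(session, now):
    # Enforce both limits: single use and time-to-live.
    if session.closed:
        raise SessionError("session already used")
    if now >= session.expires_at:
        session.closed = True
        raise SessionError("session expired")


def bond(session, agent_id, handshake_ok, now):
    """Steps 303/315: the request is accepted only after a validated handshake."""
    _require_live(session, now)
    if not handshake_ok:
        raise SessionError("handshake not validated")
    if agent_id not in AGENT_REGION:
        raise SessionError("unknown transaction agent")
    session.agent_id = agent_id


def determine_context(agent_id):
    """Steps 305/307: transaction type comes from the agent's region, not the device."""
    candidates = SCORED_GRID[AGENT_REGION[agent_id]]
    # Assumption: rank by score * signal strength; the text only says both factor in.
    return max(candidates, key=lambda t: candidates[t][0] * candidates[t][1])


def transfer_credentials(session, now):
    """Steps 319-325: release credentials once, then end the session."""
    _require_live(session, now)
    if session.agent_id is None:
        raise SessionError("no bond with a transaction agent")
    tx_type = determine_context(session.agent_id)
    creds = CREDENTIALS.get((session.user_id, tx_type))
    session.closed = True  # one-time transaction: closed even if lookup fails
    if creds is None:
        raise SessionError("no credentials for " + tx_type)
    return tx_type, creds


if __name__ == "__main__":
    t0 = time.time()
    s = establish_session("alice", biometric_ok=True, now=t0)
    bond(s, "agent-gate-415", handshake_ok=True, now=t0 + 5)
    print(transfer_credentials(s, now=t0 + 10))
```

Passing `now` explicitly keeps the expiry check deterministic; a replayed request on the same session fails because the session is closed before the credentials are returned.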

FIGS. 4A-4C are diagrams depicting a user accessing the transient services platform of FIG. 2 to perform a transaction via a transaction agent, according to various embodiments. For the purpose of illustration, the figures are described from the perspective of an exemplary use case of a user attempting to access a security gate 415, as shown in FIG. 4B. Under this scenario, the user has already defined a set of credentials for accessing the facility associated with the security gate (e.g., defined hours of entry, access level) in connection with the facility owner. In addition, the security gate 415 features an unmanned booth having configured thereto a transaction agent 105. As such, the user may initiate execution of a transaction session with the transient services platform for fulfilling a gate access/facility entry transaction.

In FIG. 4A, the user is shown performing the biometric authentication procedure according to different approaches, both of which pertain to local processing of biometric inputs. As noted, the biometric authentication is a prerequisite security function required to enable a transaction session request to be submitted to the platform 103. In a first approach, labeled OPTION 1, the user 401 employs a personal item in the form of their mobile device 403 to perform the biometric authentication. Under this scenario, a biometric application operating at the mobile device 403 receives voice signals 405 corresponding to a phrase required to be recited by the user. While not shown or discussed extensively herein, the phrase may correspond to that required to be recited during an initial enrollment process. In addition to voice data, visual data pertaining to the user's face may also be collected concurrent with the voice signal 405. Additional biometric inputs such as retinal, DNA, brain wave pattern and/or odor related data may also be performed.

In the second approach labeled OPTION 2, instead of the local device, the user employs a device 407 positioned within proximity of the security gate. For example, the security gate may feature a computer terminal or data entry/collection node that features one or more sensors for facilitating the gathering of biometric information. Under this scenario, the user may be presented with various interface options for facilitating the input gathering process as well as for accessing the transient services platform 103. It is noted, with regards to OPTION 2, that the computer terminal and/or data entry/collection node may operate in conjunction with the user device 403. Regardless of implementation, the biometric authentication is performed locally, with results of the authentication being used to enable a limited time session for completion of the transaction.

Once the user is authenticated, the user initiates a bonding procedure with the transaction agent 105 of the security gate 415. This includes, for example, launching a bond application at the mobile device 403. The user then performs a secret pattern 411 corresponding to the execution of the bonding application. As noted previously, the pattern 411 corresponds to a “handshake” or other triggering mechanism related to or initiated by the user; the handshake being unique to the user. While shown as a motion/gesture in this example, the handshake for initiating a bond may also be a sound, light signal or a combination thereof.

As a result of the secret pattern 411 being performed, a wireless communication exchange (represented by the signal 429) is formulated between the device and the transaction agent 105. This exchange signifies validation of the handshaking procedure and hence an active bond between the transaction agent 105 of the security gate 415 and the device 403. Under this scenario, the bond application causes presentment of a notification message 427 to the user interface of the device 403 for indicating that bond detection mode is active. In certain embodiments, the notification message may also include a timer for indicating an amount of time remaining for the user to establish and/or complete a transaction session for accessing the gate 415.

In response to the bonding procedure being performed, the request to initiate a gate entry transaction is facilitated. This is carried out by way of the communication network 105, wherein the transaction agent alerts the transient services platform 103 of a request to initiate a transaction. Consequently, the transient services platform 103 accesses scored grid data corresponding to the defined geographic region associated with the transaction agent 105. Based on information, the platform 103 is then able to discern a limited number of possible corresponding transaction types associated with the defined region. In certain embodiments, the platform 103 may utilize the credentials data associated with the user 401 or other corroborating information to further isolate the possibility to a single selection. Of note, a higher score and/or signal strength associated with the given geographic region also factors into the determination process.

Once the context is determined, the credentials associated with the user with respect to the transaction type associated with the security gate 415 are accessed. These credentials are then transferred to the transaction agent 105 to permit execution of the gate entry process, as shown in FIG. 4C. Also, a notification message 425 presented to the display of the device 403 is updated to reflect that entry (completion) of the transaction was fulfilled and granted in connection with the specific credentials of the user 401.

The exemplary techniques and systems presented herein enable contextual categories to be associated and scored in connection with a defined geographic region. One advantage of the exemplary techniques and systems presented herein is the ability of the transient service platform to recognize the context of a transaction without reliance upon user or device provided contextual information. Another advantage is that multiple methods of discovery for initiating a bond can be mixed and matched automatically without requiring intervention from the user—e.g., Bluetooth, Wi-Fi, NFC, wireless sensor network (WSN) and/or 3G/4G technologies. As such, the transient services platform 103 facilitates pre-NFC and/or legacy mobile devices to benefit from the dissemination of transaction agents about a geographic region.

The processes described herein for enabling contextual categories to be associated and scored in connection with a defined geographic region may be implemented via software, hardware (e.g., general processor, Digital Signal Processing (DSP) chip, an Application Specific Integrated Circuit (ASIC), Field Programmable Gate Arrays (FPGAs), etc.), firmware or a combination thereof. Such exemplary hardware for performing the described functions is detailed below.

The processes described herein for enabling transactions to be performed securely within a defined geographic region may be implemented via software, hardware (e.g., general processor, Digital Signal Processing (DSP) chip, an Application Specific Integrated Circuit (ASIC), Field Programmable Gate Arrays (FPGAs), etc.), firmware or a combination thereof. Such exemplary hardware for performing the described functions is detailed below.

FIG. 5 is a diagram of a computer system that can be used to implement various exemplary embodiments. The computer system 500 includes a bus 501 or other communication mechanism for communicating information and one or more processors (of which one is shown) 503 coupled to the bus 501 for processing information. The computer system 500 also includes main memory 505, such as a random access memory (RAM) or other dynamic storage device, coupled to the bus 501 for storing information and instructions to be executed by the processor 503. Main memory 505 can also be used for storing temporary variables or other intermediate information during execution of instructions by the processor 503. The computer system 500 may further include a read only memory (ROM) 507 or other static storage device coupled to the bus 501 for storing static information and instructions for the processor 503. A storage device 509, such as a magnetic disk or optical disk, is coupled to the bus 501 for persistently storing information and instructions.

The computer system 500 may be coupled via the bus 501 to a display 511, such as a cathode ray tube (CRT), liquid crystal display, active matrix display, or plasma display, for displaying information to a computer user. An input device 513, such as a keyboard including alphanumeric and other keys, is coupled to the bus 501 for communicating information and command selections to the processor 503. Another type of user input device is a cursor control 515, such as a mouse, a trackball, or cursor direction keys, for communicating direction information and command selections to the processor 503 and for adjusting cursor movement on the display 511.

According to an embodiment of the invention, the processes described herein are performed by the computer system 500, in response to the processor 503 executing an arrangement of instructions contained in main memory 505. Such instructions can be read into main memory 505 from another computer-readable medium, such as the storage device 509. Execution of the arrangement of instructions contained in main memory 505 causes the processor 503 to perform the process steps described herein. One or more processors in a multi-processing arrangement may also be employed to execute the instructions contained in main memory 505. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the embodiment of the invention. Thus, embodiments of the invention are not limited to any specific combination of hardware circuitry and software.

The computer system 500 also includes a communication interface 517 coupled to bus 501. The communication interface 517 provides a two-way data communication coupling to a network link 519 connected to a local network 521. For example, the communication interface 517 may be a digital subscriber line (DSL) card or modem, an integrated services digital network (ISDN) card, a cable modem, a telephone modem, or any other communication interface to provide a data communication connection to a corresponding type of communication line. As another example, communication interface 517 may be a local area network (LAN) card (e.g. for Ethernet™ or an Asynchronous Transfer Mode (ATM) network) to provide a data communication connection to a compatible LAN. Wireless links can also be implemented. In any such implementation, communication interface 517 sends and receives electrical, electromagnetic, or optical signals that carry digital data streams representing various types of information. Further, the communication interface 517 can include peripheral interface devices, such as a Universal Serial Bus (USB) interface, a PCMCIA (Personal Computer Memory Card International Association) interface, etc. Although a single communication interface 517 is depicted in FIGS. 4B and 4C, multiple communication interfaces can also be employed.

The network link 519 typically provides data communication through one or more networks to other data devices. For example, the network link 519 may provide a connection through local network 521 to a host computer 523, which has connectivity to a network 525 (e.g. a wide area network (WAN) or the global packet data communication network now commonly referred to as the “Internet”) or to data equipment operated by a service provider. The local network 521 and the network 525 both use electrical, electromagnetic, or optical signals to convey information and instructions. The signals through the various networks and the signals on the network link 519 and through the communication interface 517, which communicate digital data with the computer system 500, are exemplary forms of carrier waves bearing the information and instructions.

The computer system 500 can send messages and receive data, including program code, through the network(s), the network link 519, and the communication interface 517. In the Internet example, a server (not shown) might transmit requested code belonging to an application program for implementing an embodiment of the invention through the network 525, the local network 521 and the communication interface 517. The processor 503 may execute the transmitted code while being received and/or store the code in the storage device 509, or other non-volatile storage for later execution. In this manner, the computer system 500 may obtain application code in the form of a carrier wave.

The term “computer-readable medium” as used herein refers to any medium that participates in providing instructions to the processor 503 for execution. Such a medium may take many forms, including but not limited to computer-readable storage medium ((or non-transitory)—e.g., non-volatile media and volatile media), and transmission media. Non-volatile media include, for example, optical or magnetic disks, such as the storage device 509. Volatile media include dynamic memory, such as main memory 505. Transmission media include coaxial cables, copper wire and fiber optics, including the wires that comprise the bus 501. Transmission media can also take the form of acoustic, optical, or electromagnetic waves, such as those generated during radio frequency (RF) and infrared (IR) data communications. Common forms of computer-readable media include, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, any other magnetic medium, a CD-ROM, CDRW, DVD, any other optical medium, punch cards, paper tape, optical mark sheets, any other physical medium with patterns of holes or other optically recognizable indicia, a RAM, a PROM, and EPROM, a FLASH-EPROM, any other memory chip or cartridge, a carrier wave, or any other medium from which a computer can read.

Various forms of computer-readable media may be involved in providing instructions to a processor for execution. For example, the instructions for carrying out at least part of the embodiments of the invention may initially be borne on a magnetic disk of a remote computer. In such a scenario, the remote computer loads the instructions into main memory and sends the instructions over a telephone line using a modem. A modem of a local computer system receives the data on the telephone line and uses an infrared transmitter to convert the data to an infrared signal and transmit the infrared signal to a portable computing device, such as a personal digital assistant (PDA) or a laptop. An infrared detector on the portable computing device receives the information and instructions borne by the infrared signal and places the data on a bus. The bus conveys the data to main memory, from which a processor retrieves and executes the instructions. The instructions received by main memory can optionally be stored on storage device either before or after execution by processor.

FIG. 6 illustrates a chip set or chip 600 upon which an embodiment of the invention may be implemented. Chip set 600 is programmed to enable transactions to be performed securely within a defined geographic region as described herein and includes, for instance, the processor and memory components described with respect to FIG. 5 incorporated in one or more physical packages (e.g., chips). By way of example, a physical package includes an arrangement of one or more materials, components, and/or wires on a structural assembly (e.g., a baseboard) to provide one or more characteristics such as physical strength, conservation of size, and/or limitation of electrical interaction. It is contemplated that in certain embodiments the chip set 600 can be implemented in a single chip. It is further contemplated that in certain embodiments the chip set or chip 600 can be implemented as a single “system on a chip.” It is further contemplated that in certain embodiments a separate ASIC would not be used, for example, and that all relevant functions as disclosed herein would be performed by a processor or processors. Chip set or chip 600, or a portion thereof, constitutes a means for performing one or more steps of enabling transactions to be performed securely within a defined geographic region.

In one embodiment, the chip set or chip 600 includes a communication mechanism such as a bus 601 for passing information among the components of the chip set 600. A processor 603 has connectivity to the bus 601 to execute instructions and process information stored in, for example, a memory 605. The processor 603 may include one or more processing cores with each core configured to perform independently. A multi-core processor enables multiprocessing within a single physical package. Examples of a multi-core processor include two, four, eight, or greater numbers of processing cores. Alternatively or in addition, the processor 603 may include one or more microprocessors configured in tandem via the bus 601 to enable independent execution of instructions, pipelining, and multithreading. The processor 603 may also be accompanied with one or more specialized components to perform certain processing functions and tasks such as one or more digital signal processors (DSP) 607, or one or more application-specific integrated circuits (ASIC) 609. A DSP 607 typically is configured to process real-world signals (e.g., sound) in real time independently of the processor 603. Similarly, an ASIC 609 can be configured to perform specialized functions not easily performed by a more general purpose processor. Other specialized components to aid in performing the inventive functions described herein may include one or more field programmable gate arrays (FPGA) (not shown), one or more controllers (not shown), or one or more other special-purpose computer chips.

In one embodiment, the chip set or chip 600 includes merely one or more processors and some software and/or firmware supporting and/or relating to and/or for the one or more processors.

The processor 603 and accompanying components have connectivity to the memory 605 via the bus 601. The memory 605 includes both dynamic memory (e.g., RAM, magnetic disk, writable optical disk, etc.) and static memory (e.g., ROM, CD-ROM, etc.) for storing executable instructions that when executed perform the inventive steps described herein to enable transactions to be performed securely within a defined geographic region. The memory 605 also stores the data associated with or generated by the execution of the inventive steps.

While certain exemplary embodiments and implementations have been described herein, other embodiments and modifications will be apparent from this description. Accordingly, the invention is not limited to such embodiments, but rather to the broader scope of the presented claims and various obvious modifications and equivalent arrangements.

What is claimed is:
 1. A machine-implemented method comprising: establishing, based on biometric authentication of a user, a limited session for completing a transaction; receiving, based on a bonding procedure initiated via a personal item of the user, a request to complete the transaction through a transaction agent associated with a defined geographic region; determining, based on the defined geographic region, a context to associate with the transaction; and initiating, based on the authentication and the determined context, a transfer of credentials associated with the user to the transaction agent wherein the bonding procedure comprises authenticating a handshake associated with the bonding procedure, and wherein the handshake corresponds to a secret action associated with the user and the personal item.
 2. A machine-implemented method comprising: establishing, based on biometric authentication of a user, a limited session for completing a transaction; receiving, based on a bonding procedure initiated via a personal item of the user, a request to complete the transaction through a transaction agent associated with a defined geographic determining, based on the defined geographic region, a context to associate with the transaction; determining, based on the context, a transaction type to associate with the transaction; and initiating, based on the authentication and the determined context, a transfer of credentials associated with the user to the transaction agent, wherein the transaction type is identified based on a signal strength associated with the defined geographic region, the signal strength indicating a level of affinity between the transaction agent and the transaction type.
 3. A machine-implemented method of claim 1, further comprising: receiving a biometric input for authenticating an identity of the user; and associating the user with a personal item based on the identity, wherein the personal item is a mobile device, a transmitter or a sensor based card.
 4. A machine-implemented method of claim 1, wherein the handshake is a gesture, a sound or a light signal.
 5. A machine-implemented method of claim 1, wherein the handshake is performed within close proximity of the transactional agent within the limited time period corresponding to the session.
 6. A machine-implemented method of claim 1, further comprising: initiating, based on the authentication, a session with a credentials management system associated with the user.
 7. A machine-implemented method of claim 1, further comprising: submitting, based on the context, a request for credentials required for completion of the transaction, wherein the credentials include information for completing the transaction based on the context.
 8. A machine-implemented method of claim 1, further comprising: confirming completion of the transaction within the limited time period; and ending the session based on the confirmation.
 9. A machine-implemented method of claim 1, wherein the defined geographic region is based on a national grid system.
 10. An apparatus comprising: at least one processor; and at least one memory including computer program code for one or more programs, the at least one memory and the computer program code configured to, with the at least one processor, cause the apparatus to perform at least the following, establish, based on biometric authentication of a user, a limited session for completing a transaction; receive, based on a bonding procedure initiated via a personal item of the user, a request to complete the transaction through a transaction agent associated with a defined geographic region; determine, based on the defined geographic region, a context to associate with the transaction; and initiate, based on the authentication and the determined context, a transfer of credentials associated with the user to the transaction agent, wherein the bonding procedure comprises authenticating a handshake associated with the bonding procedure, and wherein the handshake corresponds to a secret action associated with the user and the personal item.
 11. An apparatus comprising: at least one processor; and at least one memory including computer program code for one or more programs, the at least one memory and the computer program code configured to, with the at least one processor cause the apparatus to perform at least the following, establish, based on biometric authentication of a user, a limited session for completing a transaction; receive, based on a bonding procedure initiated via a personal item of the user, a request to complete the transaction through a transaction agent associated with a defined geographic region; determine, based on the defined geographic region, a context to associate with the transaction; determine, based on the context, a transaction type to associate with the transaction; and initiate, based on the authentication and the determined context, a transfer of credentials associated with the user to the transaction agent, wherein the transaction type is identified based on a signal strength associated with the defined geographic region, the signal strength indicating a level of affinity between the transaction agent and the transaction type.
 12. An apparatus of claim 10, further comprising: receiving a biometric input for authenticating an identity of the user; and associating the user with a personal item based on the identity, wherein the personal item is a mobile device, a transmitter or a sensor based card.
 13. An apparatus of claim 10, wherein the handshake is a gesture, a sound or a light signal.
 14. An apparatus of claim 10, wherein the handshake is performed within close proximity of the transactional agent within the limited time period corresponding to the session.
 15. An apparatus of claim 10, further comprising: initiating, based on the authentication, a session with a credentials management system associated with the user.
 16. An apparatus of claim 10, further comprising: submitting, based on the context, a request for credentials required for completion of the transaction, wherein the credentials include information for completing the transaction based on the context.
 17. An apparatus of claim 10, further comprising: confirming completion of the transaction within the limited time period; and ending the session based on the confirmation.
 18. An apparatus of claim 10, wherein the defined geographic region is based on a national grid system. 